Migration from Oracle Is Easier Than You Think

Planning a Migration from Oracle?

Are you running a legacy Oracle IAM stack? Are you tired of the painful million-dollar upgrades with every release? Are you worried about the loss of functionality after you upgrade to those “newer” releases? Are you worried about the end of support of your critical IAM infrastructure? Worse yet, a statement of direction that they are “feature complete”? Let me tell you how you can have a modern IAM system co-exist with the current legacy Oracle system, add immediate value to your business as you plan a phased approach to migration from Oracle.

Enter ForgeRock: A Better Approach to IAM

It’s  time to look for a better approach to your IAM needs from a company future-minded and focused solely on solving IAM challenges whether they are EmployeeConsumer or IoT Devices and everything else in between. The ForgeRock Identity Platform securely stores, authenticates, and manages identities in a single integrated solution so that you can extend it to integrate with your business apps whether they run on-prem, in the cloud, or in a hybrid model. With the latest DevOps capabilities natively supported by the platform, you can also run the ForgeRock platform anywhere you choose.

OAM Graphic - Blog.png


Starting a Migration from Oracle to ForgeRock

The first step to migrate from Oracle to ForgeRock is acknowledging that you have a legacy IAM problem and that you are willing to take the necessary corrective action. If you need help coming to these terms, visit our Modernize IAM page for why ForgeRock is a better modern platform for your growing business needs.

The Top 3 Integration Approaches to Migration from Oracle Access Manager (OAM)

Assuming you are ready, let’s discuss some of the various integration options available within the coexistence model and various pros and cons of each approach.

Option 1: ‘No Password’ Integration

In this approach, you protect the OAM login page with a ForgeRock Policy Agent and then change the Oracle Access Manager authentication scheme to LDAPNoPasswordValidationScheme and some custom OAM login page changes to read the ForgeRock AM headers and then submit that to OAM without a password.

With this approach, whenever a user tries to log in to an application protected by OAM, they will be first redirected to a ForgeRock login and after that they will be redirected back to OAM which will authenticate based on the username in the header without prompting for the password a second time giving the seamless SSO experience to the end users.

This is the simplest of integrations and has been used by Oracle customers in production to integrate with non-Oracle SSO solutions. However, this approach also introduces many security concerns that cannot be detailed in this blog, so we do not recommend this approach in many cases.

Option 2: Federation Based Integration

Both Oracle and ForgeRock support the SAML standards for integration and so in this approach you will configure them to be federation partners. There are some considerations for which one should be Service Provider (SP) and which one should be Identity Provider (IdP), but our recommendation would be to have ForgeRock as the IdP so that you can leverage many of the Intelligent Authentication features built into the solution and for a better overall user experience.

Option 3: SDK Based Integration

In this approach, the ForgeRock and Oracle SDK is used to integrate the solutions much more closely. The OAM WebGate will be replaced with an AM agent or optionally the application can be fronted with IG as a reverse proxy and a smart gateway. The IG allows for session keep alive so that as long as the session is active in one environment, it can be used to keep the other session alive. Similarly, if a session is destroyed in one environment, IG can terminate it in the other.  Single sign-on between the two environments is facilitated by plugins provided by ForgeRock. A request with a valid Oracle Access Manager session to the ForgeRock environment will result in an automatic ForgeRock session creation. Conversely, if the request comes to the ForgeRock environment first, a post authentication plugin will create an Oracle Access Manager session using a custom Authentication Scheme provided by ForgeRock. This Authentication Scheme uses the standard interfaces provided by Oracle.  Hence, the ForgeRock provided plugins ensure seamless single sign-on between the two environments. As a matter of fact, the end user doesn’t really know which environment they are in. This is the preferred approach to integrating the two solutions and it is also explained in more details along with architecture diagrams in the Migration from Oracle Access Manager to ForgeRock Identity and Access Management guide.

Once you acknowledge the need for a better IAM platform and understand the various options, ForgeRock has made everything else simple. Based on experiences from existing customers who have successfully migrated away from Oracle, we have published the guide that details our approach and our phased approach to the migration that will satisfy even the largest and most complex of Oracle deployments.

Is your Oracle environment very complex? Are you worried that this approach may not work for your customizations? ForgeRock can help assessing and planning your Oracle migration.  At ForgeRock, we have experts who have successfully migrated many companies to our modern integrated platform. Contact us to schedule a demo or meeting here.

Here are some additional links that might be of help:

Do you have additional questions or prefer speaking to someone in person? Get in touch here

*** This is a Security Bloggers Network syndicated blog from Forgerock Blog authored by Keith Dalyn. Read the original post at:

Secure Coding Practices